
Whonix AppArmor Profiles Development Discussion


#262

Please try running “pidgin” from terminal. Perhaps that requires a few extra permissions.


#263
Since many IRC networks support SSL, I guess we could replace:

/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt r,

with:

/usr/share/ca-certificates/** r,

How does that sound?

Good. The profile is more robust.

I fixed a few already: https://github.com/Whonix/apparmor-profile-pidgin/commit/dae348af643e62a9256e76db51599aee6a8a530e

But for those in /tmp and /home I don’t know how to sanely add them.

I have pushed the updated profile. It should work.

I cannot reproduce those messages. Are you using a video or audio editor, like gstreamer?


#264

A long-standing issue: to open a link, we had to use “Copy link location” and paste it in the browser. The Tor Browser is now opened when clicking the link.

“usr.lib.icedove.icedove”.

  • Had to allow reading the whole home folder in order to select “/home/user/tor-browser_*/Browser/firefox” as the link application.
  • If the Tor browser is already open, the link is opened in a new tab.

“usr.bin.pidgin”.

  • When clicking a link, Pidgin opens a warning popup, and opens a new instance of the Tor browser.
  • Originally, for “orcexec”, only write permission was denied. It is read/write now.

Both profiles are pushed in troubadoour.


#265
[quote]Please try running “pidgin” from terminal. Perhaps that requires a few extra permissions.[/quote]

Forgot that one. Pushed the profile with a minor modification.


#266

Troubadour, just letting you know that upstream TPO is interested in all the help they can get to create and collect Apparmor profiles.

https://trac.torproject.org/projects/tor/ticket/5791

Micah Lee is the member that seems most responsive and active in this area.
Also there are plans to make profiles that constrain the Flash plugin in TBB.

As a side question, does Whonix ship with the set of AppArmor profiles that are currently available for Debian?


#267

To answer Patrick’s implied question and yours, yes, I am ready to start a collaborative work on AppArmor. It really makes sense and it will be a change, me working like a poor lonesome cowboy :(. Not true actually. Thanks Patrick for your commitment and limitless availability and patience (for me, especially on git…).

As suggested, the best place to start seems to be at Micah Lee’s, with Radostan’s help, if he is willing to collaborate. And I came across some quite good work on AppArmor, in some places I have to find again.


VLC Apparmor Profile (WIP) / streaming documentation for Whonix / install youtube-dl by default
#268

More notes on Collaboration:

I assume our long-term goal is to have Whonix profiles upstreamed to take off the maintenance burden and also to expand the total number of profiles on Debian to protect as much software on the platform as possible.

All the profiles Debian currently covers are listed under this package - which I recommend we add if we don’t use it right now.

https://packages.debian.org/wheezy/all/apparmor-profiles/filelist

Who can we talk to?

TPO’s Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.

Intrigeri: TAILS dev and AppArmor package maintainer for Debian.

Work Plan

First is the network-facing software, which I see you’ve done a great job on. Next comes popular software; especially complex packages should be targeted for profile support first. Examples are VLC and LibreOffice.
Since you are already overworked, I’ll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.


#269

VLC profile I found that may need some tuning because it excludes components related to Nvidia which are not relevant to our virtual environment:

[code]
# Last Modified: Sat Mar 31 01:45:41 2012
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/nvidia>

  capability ipc_lock,

  # explicit denials override the broad allow rules below
  deny /etc/passwd r,
  deny /etc/apparmor.d/** r,
  deny /root/** r,
  deny /selinux/** r,
  deny /boot/** r,
  deny /opt/** r,
  deny /sbin/** r,

  /bin/dash r,
  /bin/grep rix,
  /bin/mv rix,
  /bin/sed rix,
  /bin/sleep rix,
  /bin/which rix,
  /dev/ r,
  /dev/ati/card0 rw,
  /etc/fonts/** r,
  /etc/nsswitch.conf r,
  /etc/pulse/client.conf r,
  /etc/xdg/Trolltech.conf rk,
  /etc/xdg/sni-qt.conf rk,
  /home/** rk,
  /proc/*/auxv r,
  /proc/*/cmdline r,
  /proc/*/status r,
  /proc/ati/* r,
  /proc/modules r,
  /run/shm/ r,
  /run/shm/* rw,
  /sys/devices/system/*/ r,
  /tmp/** rw,
  /tmp/**/ rw,
  /usr/** rk,
  /usr/bin/dbus-send rix,
  /usr/bin/xdg-screensaver rix,
  /usr/lib{,32,64}/** mrw,
  /var/cache/** r,
  /var/lib/dbus/machine-id r,
  /var/lib/defoma/fontconfig.d/* r,
}
[/code]
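The rule changes discussed in #263 (widening a single CA file to a `/usr/share/ca-certificates/**` glob) and the VLC profile above both raise the same review question: which allow rules widen the confined program's reach the most? This added example (not code from the thread or from Whonix) is a small linter for AppArmor file rules; it parses lines of the form `path perms,` and flags writable-and-mappable, unconfined-exec, whole-home-read and broad tmp-write rules. The profile excerpt it runs on is constructed sample input in the style of the VLC profile, not the full profile.

```python
import re

# Constructed sample input in the style of the VLC profile posted above.
SAMPLE_PROFILE = """\
/usr/bin/vlc {
  #include <abstractions/base>
  capability ipc_lock,
  deny /etc/passwd r,
  /bin/sed rix,
  /home/** rk,
  /tmp/** rw,
  /usr/lib{,32,64}/** mrw,
  /usr/share/ca-certificates/** r,
  /usr/bin/xdg-screensaver Ux,
}
"""

# One AppArmor file rule: optional "deny", a path (globs and {a,b}
# alternation allowed), the permission letters, a terminating comma.
FILE_RULE = re.compile(
    r"^\s*(?P<deny>deny\s+)?(?P<path>/\S+)\s+(?P<perms>[A-Za-z]+),\s*$")

def parse_file_rules(text):
    """Return (path, perms, denied) per file rule; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = FILE_RULE.match(line)
        if m:
            rules.append((m.group("path"), m.group("perms"),
                          m.group("deny") is not None))
    return rules

def lint_rules(rules):
    """Flag allow rules that widen what the confined program can reach."""
    findings = []
    for path, perms, denied in rules:
        if denied:
            continue  # deny rules only narrow access; nothing to flag
        p = set(perms)
        if "w" in p and "m" in p:
            # Program can modify a file and then map it executable: a write
            # into a library directory becomes code it can load.
            findings.append(("write+mmap", path, perms))
        if p & {"u", "U"}:
            # ux/Ux: the child runs unconfined, outside this profile.
            findings.append(("unconfined-exec", path, perms))
        if "**" in path and path.startswith("/home/") and "r" in p:
            # Whole-home read exposes every user file, not just the one needed.
            findings.append(("broad-home-read", path, perms))
        if "**" in path and "w" in p and path.startswith(("/tmp/", "/run/shm/")):
            findings.append(("broad-tmp-write", path, perms))
    return findings

if __name__ == "__main__":
    for tag, path, perms in lint_rules(parse_file_rules(SAMPLE_PROFILE)):
        print("%-16s %-32s %s" % (tag, path, perms))
```

The `/usr/share/ca-certificates/** r,` rule from #263 produces no finding: a read-only glob over system certificates is narrow compared with the write-capable globs the linter reports.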


#270

After some time searching, all I found were two older profiles written for OpenJDK7 and nothing for LibreOffice.


#271

Looks like AppArmor profiles for these packages and more are on Micah’s radar.


#272

If we want to upstream or hope for upstream to take it, we should not strip the virtual environment specific parts. Also there is Whonix with physical isolation.


#273
[quote]I assume our longterm goal is to have Whonix profiles upstreamed to take off the maintenance burden and also expanding the total number of profiles on Debian to protect as much software on the platform as possible.[/quote]
Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.

Let’s go back to how this whole thread and troubadour’s work started. I think troubadour said he’d rather contribute to the Whonix project, because… Well, I’d better not put words in someone’s mouth. The idea of upstreaming began here:
https://www.whonix.org/forum/index.php/topic,24.msg269.html#msg269

Another statement about difficulty with upstreaming here:
https://www.whonix.org/forum/index.php/topic,97.msg728.html#msg728

My reply:
https://www.whonix.org/forum/index.php/topic,97.msg732.html#msg732

troubadour:
https://www.whonix.org/forum/index.php/topic,97.msg744.html#msg744

[quote]TPO's Jacob is a Debian user and contributor who holds major influence. From what he has proposed and said, he is a big proponent of using OS mechanisms for hardening for Tor components. We can talk to him for getting Apparmor profiles in general and Whonix profiles upstreamed.[/quote]
I think he is overworked already. Worth a try.
[quote]All the profiles Debian currently covers are listed under this package - which I recommend we add if we don't use it right now.

https://packages.debian.org/wheezy/all/apparmor-profiles/filelist[/quote]


I think they want you to contact the Debian maintainer of the original package first. Perhaps even better to contact the maintainer of the software first.
[quote]Intrigeri TAILS dev and Apparmor package maintainer for Debian.[/quote]
[quote]Since you already overworked, I'll focus on scavenging for profiles already written that we can pass on upstream for addition after some minor testing.[/quote]
Well, this all sounds very nice in theory.

In practice this is very time consuming and frustrating. In my experience you’re not running into open doors. “We cooked something nice up in Whonix, here is the link, works quite well, can you test it yourself, do the last changes and please merge it into your package” doesn’t work. Don’t mention Whonix. You need a pure Debian testing (or sid?) development environment. And most times they don’t accept git branches and ask for things such as tested patches and debdiffs. It seems difficult to me to interact well with Debian devs if you have never met them in person.

For example just have a look at the “add /etc/bashrc.d feature” discussion:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675008

So you need frustration tolerance. If troubadour feels like upstreaming stuff, I’ll be very happy about this. But if not, I can totally understand this.


#274
[quote]Sure. At least in theory this sounds nice and is an adorable goal. Practicality is a different thing.[/quote]

After what you described I can understand how difficult it is to get anything up there in Debian. Resistance to change is what Debian is known for. But maybe that’s a good thing if you look at how they held off from including Upstart and went with systemd when it matured.

It’s best to just keep focusing on our own anonymity packages and keep our fingers crossed that Tor mainline profiles eventually get in there and offload some stuff from your shoulders.

If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it, if that’s ok.

[quote]I think they want you to contact the Debian maintainer of the original package first. Perhaps even better to contact the maintainer of the software first.[/quote]

I was asking if Whonix already uses the apparmor-profiles package out of the box. That way we protect the few daemons whose profiles are already included.

With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.


#275
[quote]If you think talking to Jacob is worth a shot, I will write a draft of what we can say and you send it if thats ok.[/quote]

Got some questions about this…

Private mail to Jacob? That is always a bit intransparent. I need to ask if I may publish it and may or may not get an answer. And any follow-up on what has been talked about gets difficult.

Why contact individuals when we could write in general to public places (mailing list, bug tracker)?

I recently added an overview to their apparmor ticket #5791:
https://trac.torproject.org/projects/tor/ticket/5791#comment:31

What else could be done? Write Jacob a one liner, “have you seen the overview there”?

But no one seems to work on #5791 at the moment. “Keywords: SponsorZ”, as far as I understand, means “we have no sponsoring for this, we wish we had, might try to get one, and as long as we don’t have one, we most likely won’t be working on this”.

Feel free to propose something, but I have no idea what could be said.

[quote]I was asking if Whonix already uses [b]apparmor-profiles[/b] package out of the box.[/quote]
Yes. (Not enforced by default.)

Also very interesting:

/usr/share/doc/apparmor-profiles/extras contains lots of extra profiles.

[quote]With your help I am planning to create a profile for ucspi-tcp eventually after testing is finished.[/quote]

For control-port-filter (which uses tcpserver), you mean? That’d be great!


#276

Then it’s better if this is addressed to the public Debian mailing list, with a plea to ease the process of including AppArmor profiles. Besides this I still think it’s useful if you can also explain to Jacob the current obstacles and ask him to back up the proposal on the Debian mailing list. You can ask him if he allows you to post his views on this publicly, in the same message.

Debian mailing list:

It’s becoming necessary to confine user-land software as much as possible to secure a system against advanced malware attacks perpetrated by criminal organizations and governments. Can you please make your AppArmor streamlining process easier for outsiders to contribute to, so that profiles are collected, tested and used in Debian sooner than the current guidelines allow?


#277

Don’t get me wrong. I admire your fresh perspective, idealism and motivation! However, from my perspective it looks naive. I’ve been following a few Debian lists for years and the outcome of such discussions is usually zero, so my motivation to post something like this is zero.

For example, “get Tor Browser into Debian” failed due to politics / bureaucracy:
https://lists.torproject.org/pipermail/tor-talk/2013-February/027486.html

Or see the more recent thread “concrete steps for improving apt downloading security and privacy” by Hans-Christoph Steiner, where he is doing a good job making his point, but to no avail:
https://lists.debian.org/debian-security/2014/07/msg00022.html
https://lists.debian.org/debian-security/2014/07/threads.html#00024

But that’s just my opinion. Please do make your own experience. Don’t let me slow you down. No need to take my opinion for it.

Feel free to post anything on any Debian mailing list and/or to contact intrigeri and/or Jacob. You can refer to the facts, link to what has been done/said and so forth. Please just don’t let anyone confuse it with an official Whonix ambassador task; please use “I”. Good luck! Looking forward to it! And I hope I am wrong; we’d be much better off if I was wrong.


#278

Debian’s inertia is no stranger to me, I’ll heed your advice and conserve my effort for something worthwhile.


#279

Yes, and Whonix is certainly worthwhile.

The AppArmor profiles development at Debian is either dead or non-existent. Or both.

I managed to catch John Johansen from the AppArmor development team (see https://www.whonix.org/forum/index.php/topic,97.msg1854.html#msg1854) and pointed him to this thread. He made a polite reply saying that he had a lot to do before the weekend but would take the time to have a look. I do not know if he did, but I could not see any increase in the views as I was naively hoping.

I believe that the best way to achieve something is to work together with Micah Lee and others on profiles we could propose upstream once and only once they are complete and tested. Number one should be the Tor Browser in Debian (we can consider it’s operational in Whonix). Then we have a chance to revive ticket #5791 and to have an impact.

For other profiles, I have some work started with VLC, and Okular (because it is a PDF reader too) is nearly finished. I’ll have to dig them out.


#280

Denied message in Tor Browser.
Pushed https://github.com/troubadoour/apparmor-profile-anondist/commit/7a8dc23b5c7c60cf51225942103a9a5832310d95


#281

[quote=“troubadour, post:280, topic:108”]Denied message in Tor Browser.
Pushed https://github.com/troubadoour/apparmor-profile-anondist/commit/7a8dc23b5c7c60cf51225942103a9a5832310d95[/quote]
Merged, thanks!